Note
This feature is in public preview. For more information, see Public preview in Microsoft Intune.
The Vulnerability Remediation Agent for Security Copilot in Intune uses data from Microsoft Defender Vulnerability Management to identify Common Vulnerabilities and Exposures (CVEs) on your managed devices. The results are prioritized for remediation and include step-by-step instructions to guide you in using Intune to remediate the threat. This Copilot Agent can help you reduce the time it takes to investigate, identify, and remediate threats, ultimately improving your organization's overall security posture.
When the agent runs, it analyzes data from Microsoft Defender Vulnerability Management and provides a prioritized list of suggestions that appear in the Intune admin center. You can drill into each suggestion to view details that include:
- The count of associated vulnerabilities (CVEs)
- A Copilot-assisted summarized impact analysis
- Suggested actions
- Affected systems
- Exposed devices
- Potential impact
- Step-by-step guidance for using Intune to remediate it
After you remediate an agent suggestion, you can mark it as applied to have the agent retain a record you can use in tracking remediation actions over time.
Because CVE details and recommended remediation guidance can change over time, subsequent runs of the agent might provide new details, device counts, and remediation steps. As you manage subsequent reports of threats, the record of your previously applied solutions can help you track how specific risks change as a result of your earlier remediations.
Tip
You can access the Vulnerability Remediation Agent in the Intune admin center from both the Agents and Endpoint security nodes. Each path provides access to the same agent. In this documentation, references to its location use the Agents node.
This article:
- Lists the prerequisites to use the agent
- Explains how the agent works
- Describes the agent identity model
- Shows you how to set up the agent
- Shows you how to remove the agent
For information about other Security Copilot Agents in Intune and common features, see Security Copilot agents in Microsoft Intune.
Prerequisites
Cloud requirements
The agent supports only the public cloud. It doesn't support government clouds.
Licensing requirements
To use Security Copilot agents in Intune, you need the following licenses:
- Microsoft Intune Plan 1 subscription
- Microsoft Security Copilot with sufficient security compute units (SCUs)
- Microsoft Defender Vulnerability Management - This capability is provided by Microsoft Defender for Endpoint P2 or Defender Vulnerability Management Standalone.
Plugins requirements
Plugins enable Security Copilot agents to connect with Microsoft services and perform specialized actions. This agent requires the following plugins:
If you use Copilot in Intune, the Intune plugin is already enabled. Learn more about plugins.
Device platform requirements
The Vulnerability Remediation Agent supports evaluation and recommendations for the following platforms and applications:
- Windows
- Apps in Intune
Roles requirements
To set up and manage the agent, use an account with the following roles:
Intune roles:
- Read Only Operator or a Custom role with the following permissions:
- Security Tasks / read
- Mobile apps / read
- Device configurations / read
- Organization / read
Security Copilot roles:
To run the agent, the agentic user must be delegated the following permissions. Assign these permissions outside of the Vulnerability Remediation Agent flow, in the Microsoft Entra and Microsoft Defender admin centers.
Intune roles:
- Read Only Operator or a Custom role with the following permissions:
- Mobile apps / read
- Device configurations / read
Defender roles:
- The agentic user must be assigned permissions that align with Microsoft Defender XDR RBAC configurations:
- Granular RBAC: Custom RBAC role with permissions equivalent to the Unified RBAC Security Reader role
To view results, use an account with the following roles:
Intune roles:
- Read Only Operator or a Custom role with the following permissions:
- Security Tasks / read
- Mobile apps / read
- Device configurations / read
- Organization / read
How the agent works
The Vulnerability Remediation Agent performs automated evaluations to identify and prioritize vulnerabilities on your managed devices. Here's how it works:
1. Data collection - The agent collects vulnerability data from Defender Vulnerability Management, analyzing Common Vulnerabilities and Exposures (CVEs) across your managed devices.
2. Analysis and prioritization - The agent evaluates vulnerability data and prioritizes threats based on factors like CVSS scores, exposure impact, and device count to focus on the most critical issues first.
3. Remediation guidance - For each identified vulnerability, the agent provides step-by-step remediation instructions tailored to Intune capabilities, including policy recommendations and configuration guidance.
4. Tracking and reporting - The agent maintains records of suggested remediations and allows you to track applied solutions over time, helping measure security improvement efforts.
Agent identity
The Vulnerability Remediation Agent uses Microsoft Entra agentic identity, a specialized identity in Microsoft Entra ID that lets the agent operate securely and independently. During setup, the agent provisions an agentic identity (and corresponding agentic user) in your tenant's Entra directory. The agent runs under the permissions delegated to this agentic user rather than under a human user account.
Note
If your agent currently uses a human user identity, you must transition to an agentic identity before support for human user identity expires. For the deadline, steps, and what changes, see Transition existing agents to agentic identity.
The agent behavior is limited to the permissions and scope tag assigned to its agentic user. After setup, you must delegate the required permissions to the agentic user in the Entra and Defender admin centers. For the list of required permissions, see Prerequisites.
If an issue arises with the current agent identity that you can't resolve, you must remove the agent and set it up again. For more information, see Remove the agent.
Important
Until you delegate all required permissions to the agentic user, agent runs are disabled. You must assign the required permissions and pass the Run Readiness Check before you can run the agent.
Transition existing agents to agentic identity
Existing agent instances that you set up before the release of agentic identity run under a human user identity. You need to transition these agents to an agentic identity. Here's what you need to know:
- Deadline — Human user identity authentication expires 90 days after the release of agentic identity. After this date, agents that aren't transitioned can't run.
- No more human user assignment — After the 90-day expiration, the options to assign a human user identity, change identity, or renew a human user identity token aren't available. When the token renewal message appears, admins are directed to switch to an agentic identity instead.
- Permanent change — After an agent is switched to an agentic identity, it can't revert to a human user identity.
- Run history is preserved — Transitioning to an agentic identity doesn't affect the agent's run history.
A banner appears on the agent page to surface the availability of agentic identity for agents that still use a human user identity.
To switch from a human user identity to an agentic identity:
- In the Intune admin center, go to Agents > Vulnerability Remediation Agent (preview) and select the Settings tab. You must have the Security Copilot workspace Owner role and Intune read permissions.
- Select Create new identity to provision a new agentic identity and agentic user. The agent automatically switches to use the new identity.
- Delegate the required permissions to the agentic user in the Entra and Defender admin centers. For the list of required permissions, see Prerequisites.
- Use the Run Readiness Check button to verify that permissions are correctly delegated. For more information, see Run Readiness Check.
Run Readiness Check
After you delegate the required permissions to the agentic user, use the Run Readiness Check button to verify that permissions are correctly configured. When the readiness check completes successfully, the Run button and the option to schedule runs are enabled.
Recover a deleted agent identity
If the agentic identity is accidentally deleted in Entra, try to recover it in the Entra admin center. If recovery isn't possible, you must remove the agent and set it up again to provision a new identity.
Set up the agent
During setup, the agent creates an agentic identity (and corresponding agentic user) in your tenant's Entra directory. The setup page displays the required permissions, plugins, and workspace information. It includes messaging that highlights the need to delegate permissions before a successful agent run. To set up the agent, you must have the permissions listed under set up and manage in Prerequisites.
To set up the agent:
In the Microsoft Intune admin center, go to Agents > Vulnerability Remediation Agent.
In Overview, select Set up Agent. This pane displays details about the agent including the required permissions and plugins.
Review the details to ensure requirements are in place, and then select Start agent to close the setup pane and start the first run of the agent.
After setup completes, delegate the required permissions to the agentic user in the Entra and Defender admin centers. For the list of required permissions, see Prerequisites.
Tip
Use the Run Readiness Check button to verify that permissions are correctly delegated before running the agent. For more information, see Run Readiness Check.
When setup is complete and permissions are delegated, the agent is ready to use. To learn more about using the agent, see Use the Vulnerability Remediation Agent.
Operational considerations
Before running the Vulnerability Remediation Agent, keep these points in mind:
- An admin must manually start the agent. After the agent starts, there are no options to stop or pause it.
- You can start the agent only from within the Intune admin center.
- The Associated CVEs value counts CVEs on devices that run Windows client operating system editions; it doesn't count devices that run Windows Server editions. CVEs are classified as Low, Medium, High, or Critical according to the Common Vulnerability Scoring System (CVSS) scale.
- The exposed device list includes only devices found in Entra that aren't Windows Server editions.
- The agent doesn't support scope tags in public preview.
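The following Python script is an added, hypothetical model of the four-step pipeline described under How the agent works, combined with the operational rules listed above (Windows Server editions excluded from CVE counts and exposed-device lists, CVEs classed by CVSS rating). It is not the agent's own code: the ranking order (severity, then exposed-device count, then raw score), the data shapes, the `prioritize` and `RemediationLog` names, and the sample CVE ids and device names are all constructed for illustration. It is useful for understanding what a suggestion's "exposed devices" and severity mean before you mark it as applied.

```python
# Added, hypothetical model of the prioritization pipeline the article describes.
# Not the agent's code: the ordering rule, data shapes and sample data are constructed.
from dataclasses import dataclass, field

SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (Low/Medium/High/Critical)."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Device:
    name: str
    os_edition: str   # e.g. "Windows 11 Enterprise" or "Windows Server 2022"
    cves: list[str]   # CVE ids reported for this device (step 1: collected data)


def is_windows_server(device: Device) -> bool:
    """The article states that Windows Server editions are excluded from counts and lists."""
    return device.os_edition.startswith("Windows Server")


def prioritize(devices: list[Device], cvss_scores: dict[str, float]) -> list[dict]:
    """Step 2: group CVEs, count exposed client devices, and rank the suggestions.

    Ranking order is an assumption for this example, not the agent's actual algorithm:
    severity first, then number of exposed devices, then the raw CVSS score.
    A CVE present only on Windows Server devices produces no suggestion at all.
    """
    exposed: dict[str, set[str]] = {}
    for dev in devices:
        if is_windows_server(dev):
            continue
        for cve in dev.cves:
            exposed.setdefault(cve, set()).add(dev.name)

    suggestions = []
    for cve, names in exposed.items():
        score = cvss_scores[cve]
        suggestions.append({
            "cve": cve,
            "cvss": score,
            "severity": cvss_severity(score),
            "exposed_devices": sorted(names),
        })
    suggestions.sort(
        key=lambda s: (SEVERITY_RANK[s["severity"]], len(s["exposed_devices"]), s["cvss"]),
        reverse=True,
    )
    return suggestions


@dataclass
class RemediationLog:
    """Step 4: record which suggestions an admin marked as applied, for later runs."""
    applied: dict[str, str] = field(default_factory=dict)  # cve id -> date applied

    def mark_applied(self, cve: str, on: str) -> None:
        self.applied[cve] = on

    def status(self, suggestions: list[dict]) -> dict[str, str]:
        """Label each suggestion from a later run as 'applied' or 'open'."""
        return {s["cve"]: ("applied" if s["cve"] in self.applied else "open") for s in suggestions}


# Constructed sample data: placeholder CVE ids and device names, not real findings.
SAMPLE_SCORES = {"CVE-2099-0001": 9.8, "CVE-2099-0002": 7.5, "CVE-2099-0003": 5.3}
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11 Enterprise", ["CVE-2099-0001", "CVE-2099-0002"]),
    Device("LAPTOP-02", "Windows 10 Pro", ["CVE-2099-0002"]),
    Device("SRV-01", "Windows Server 2022", ["CVE-2099-0001", "CVE-2099-0003"]),
    Device("DESK-03", "Windows 11 Pro", ["CVE-2099-0002", "CVE-2099-0003"]),
]


def run_example() -> tuple[list[dict], dict[str, str]]:
    """Run one prioritization pass, mark the top suggestion applied, re-label the list."""
    suggestions = prioritize(SAMPLE_DEVICES, SAMPLE_SCORES)
    log = RemediationLog()
    log.mark_applied("CVE-2099-0001", "2099-01-15")  # constructed date
    return suggestions, log.status(suggestions)


if __name__ == "__main__":
    suggestions, statuses = run_example()
    for s in suggestions:
        print(f'{s["cve"]:14} {s["severity"]:9} devices={len(s["exposed_devices"])} {statuses[s["cve"]]}')
```

Running the script lists the Critical CVE first even though it exposes only one client device, because SRV-01 (a Windows Server edition) is dropped before counting; the High CVE follows with three exposed devices. On a second pass, the log marks the first suggestion as applied while the others remain open, which mirrors how the agent retains applied suggestions across runs.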
Important
Admins who access the Intune admin center can see data that the agent reports through agent suggestions. This data might be visible even when it's outside the admin's assigned Intune roles or scope.
Remove the agent
If an issue arises with the agent's agentic identity that can't be resolved, you must remove the agent and set it up again to provision a new identity. Removing the agent deletes the current agentic identity and its associated agentic user from your tenant.
Note
For agents that still use a human user identity, see Transition existing agents to agentic identity for information about identity expiration and migration.
To remove the agent:
- In the Microsoft Intune admin center, select Agents.
- Select the agent instance you want to remove.
- Select Remove agent and confirm the removal.
After removal, the agent pane returns to its original state. An admin can reinstall the agent later by repeating the setup process.